Breach Roundup: Citrix Patch Not Sufficient
Also: Navy IT Manager Sentenced to 5 Years in Prison for Accessing Database

Every week, Information Security Media Group rounds up cybersecurity incidents and breaches around the world. This week, Citrix's update was insufficient, a Navy IT manager was sentenced to prison for accessing a database, a Moldovan man pleaded not guilty to running a credentials marketplace, new details emerged on health data breaches, and a television advertising giant suffered a ransomware attack.
Citrix Update Not Sufficient
Patching alone isn't sufficient to mitigate a critical vulnerability in Citrix NetScaler products, said security researchers at Mandiant. Citrix released patches on Oct. 10 for the flaw, tracked as CVE-2023-4966. Hackers could exploit the vulnerability to hijack authenticated sessions, allowing them to bypass multifactor authentication, warned Mandiant CTO Charles Carmakal. Even after the patch, attackers could use stolen session data to gain access, since authenticated sessions persist through an update, he wrote on LinkedIn.
Mandiant said it had observed hackers exploiting the zero-day beginning in late August. Hackers are anticipating patches by stealing session data and returning after the patch, the threat intel company said. It has seen hackers use the exploit to target professional services, technology and government organizations. "The most critical thing is that organizations need to do more than just apply the patch - they should also terminate all active sessions," Carmakal wrote.
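To make the point concrete, the following is an added illustration, not code from the article, from Citrix or from Mandiant: a toy server-side session store that models the behaviour described above. A session token issued before the patch keeps working after the patch, because the patch fixes the leak but does not touch the session table; only an explicit "terminate all sessions" step, implemented here by bumping a server-wide generation counter, renders every previously issued token invalid. The class, the user name and the token handling are all constructed for the example and do not reflect NetScaler internals.

```python
"""Why patching alone does not evict holders of already-stolen session tokens.

Constructed example: a minimal session store. The 'patch' closes the bug that
leaked tokens but leaves existing sessions valid; terminate_all_sessions()
is the step that actually invalidates them.
"""
import secrets
import time


class SessionStore:
    """Toy server-side session table (assumption: not how NetScaler stores sessions)."""

    def __init__(self):
        self._generation = 1      # bumped by terminate_all_sessions()
        self._sessions = {}       # token -> (user, generation, expiry)
        self.patched = False

    def issue(self, user, ttl_seconds=3600):
        """Issue a fresh token after a (notionally MFA-backed) login."""
        token = secrets.token_urlsafe(32)
        self._sessions[token] = (user, self._generation, time.time() + ttl_seconds)
        return token

    def validate(self, token):
        """Return the user for a live token, or None if it is unknown, expired,
        or predates the last terminate_all_sessions() call."""
        rec = self._sessions.get(token)
        if rec is None:
            return None
        user, gen, expiry = rec
        if gen != self._generation or time.time() > expiry:
            self._sessions.pop(token, None)   # purge stale entry
            return None
        return user

    def apply_patch(self):
        """Models installing the vendor fix: stops further token leakage but,
        crucially, does not invalidate tokens already in the session table."""
        self.patched = True

    def terminate_all_sessions(self):
        """The missing step: every token issued under the old generation now fails."""
        self._generation += 1

    def live_session_count(self):
        return sum(1 for t in list(self._sessions) if self.validate(t) is not None)


def scenario():
    """Walk through patch-without-termination versus patch-plus-termination.

    Returns (user seen by a pre-patch token after patching,
             user seen by that token after terminating all sessions,
             user seen by a token issued after termination)."""
    store = SessionStore()
    victim_token = store.issue("alice")       # legitimate login before the patch
    copied_token = victim_token               # constructed: a token that leaked pre-patch

    store.apply_patch()
    after_patch = store.validate(copied_token)     # still "alice": patch alone is not enough

    store.terminate_all_sessions()
    after_kill = store.validate(copied_token)      # None: old token is now useless

    fresh = store.validate(store.issue("alice"))   # re-authentication works normally
    return after_patch, after_kill, fresh


if __name__ == "__main__":
    print(scenario())   # ('alice', None, 'alice')
```

The generation counter is used instead of simply clearing the dictionary so the same approach works when sessions are persisted outside a single process: anything issued before the counter changed is rejected wherever it is presented. On real NetScaler appliances the equivalent step is the session-termination procedure in Citrix's own mitigation bulletin for CVE-2023-4966, which should be followed as published rather than approximated.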
Navy IT Manager Sentenced to Prison for Database Intrusion
A former IT manager with the U.S. Navy received a federal prison sentence of five years and five months after pleading guilty in March to conspiracy to commit wire fraud, wire fraud and aggravated identity theft.
His plea agreement shows that Marquis Hooper, 32, a former chief petty officer, in August 2018 opened an account with a company that sells access to sensitive personal information including Social Security numbers and birthdates. The California resident was able to do so by falsely stating that he needed access for his Navy duties. He added his wife and co-defendant Natasha Chalk to the account - and downloaded the data of more than 9,000 individuals, selling their data on the dark web in exchange for $160,000 worth of cryptocurrency. The unnamed database company closed the account in December 2018 after suspecting fraud.
Chalk, 39, a former Navy reservist, pleaded guilty to one count of conspiracy to commit wire fraud. She is scheduled for sentencing on Nov. 20 and faces a maximum statutory penalty of 20 years of imprisonment and a fine of $250,000. The couple agreed to restitution of up to $160,000 as part of their deal with prosecutors.
Moldovan Pleads Not Guilty to Running Credentials Marketplace
A Moldovan man pleaded not guilty Monday in U.S. federal court to charges that he was co-administrator of an illicit online marketplace selling access to hacked computers and servers. Sandu Boris Diaconu, 31, faced three counts of conspiracy and charges of access device fraud and computer fraud after British authorities extradited the Moldovan national. Federal prosecutors said Diaconu, along with an unnamed co-defendant, operated the now-defunct E-Root Marketplace.
E-Root, which prosecutors said authorities seized in 2020 in an international law enforcement operation, specialized in selling remote desktop protocol (RDP) and secure shell (SSH) credentials. Diaconu - aka "WinD3str0y," "utmsandu," "sandushell" and "rootarhive" - and his co-conspirator allegedly established the English-speaking forum in January 2015.
British authorities arrested Diaconu when he attempted to leave the United Kingdom in May 2021. He fought extradition to the United States until September, the U.S. Department of Justice said. Diaconu faces a maximum penalty of 20 years in federal prison.
Another MOVEit Breach
Arietis Health, a Florida-based provider of revenue cycle management to medical practices, said the May mass hack of MOVEit file transfer software affected almost 2 million patients of client practices. The breach, disclosed through a report to the U.S. Department of Health and Human Services, involved a MOVEit instance whose hacking ultimately affected 55 healthcare providers, including NorthStar Anesthesia in Texas. Arietis Health, which used MOVEit file transfer software in billing services for NorthStar, posted a breach notice on its website (see: Firm Notifies Patients of 55 Health Practice of MOVEit Hack).
Emsisoft's tally of MOVEit victims currently stands at 66 million individuals and 2,553 organizations.
Television Advertising Giant Suffers Ransomware Attack
Television advertising giant Ampersand - jointly owned by Comcast, Charter and Cox - fell prey to a ransomware attack that briefly disrupted operations. The company, a key player in the advertising industry for over four decades, confirmed the incident without specifying the breach date or whether a ransom would be paid. Ampersand, which provides advertisers with TV viewership data across 165 networks, said it has restored most operations and is collaborating with law enforcement and advisors. The Black Basta ransomware group claimed responsibility. The extent of data theft remains undisclosed. All three of the co-owning companies have faced cybersecurity incidents in recent years, highlighting the pervasive threats in the industry.
US and UAE Sign Financial Cybersecurity Cooperation Agreement
The United States and the United Arab Emirates solidified a memorandum of understanding on cybersecurity cooperation for the financial sector. The agreement, signed by the U.S. Department of Treasury and the UAE's Cyber Security Council, emphasizes increased information sharing on digital threats, staff training, visits and joint online exercises. The agreement aligns with the upcoming International Counter Ransomware Initiative summit set to be hosted by the White House on Oct. 31.
With reporting from ISMG's Marianne Kolbasuk McGee in the Boston exurbs and David Perera in Washington, D.C.